Saturday, April 9, 2011

Day 3 was another great day: we had a couple of cybercrime talks, Ruby on Rails, DNIe, USB autorun for Linux and the solution to the conference crackme. I want to take this chance to thank the organizers. I really enjoyed this conference, the people were great and the talks interesting, and I hope to be back next year, maybe even to present a talk.

As usual I welcome comments, either here or directly to me - feel free to let me know anything constructive.

Raoul Chiesa / Keynote

Raoul's keynote focused on cybercrime, UNICRI and their Hacker Profiling Project (HPP). Cool quote: "you got information, you got power". The talk was cool and included parts focusing on who is behind cybercrime, which I won't recount here out of respect for the fact that he asked not to record anything during those parts of the talk. He shared his views on why cybercrime works:

New user every day = new fools every day

Making money (fits the economic crisis)

Technical know-how is easy to get

Back in the day we worked hard to get something

Easy to recruit idiots ("mules")

Psychological - "they will never find me/bust me"

Psychological - Lack of violent actions

And how HPP classifies hackers:

Amateur

Wannabe lamer (9-16)

Script kiddie (10-18)

Hobbyist

Cracker (17-30)

Ethical hacker (15-50)

Quiet, paranoid, skilled hacker (16-40)

Pros

Cyber warrior (18-50)

Industrial spy (22-45)

Gov agent (25-45)

Military hacker (25-45)

He had a lot of interesting stuff to say and the talk actually went overtime. I can't possibly begin to recount even the public parts of the talk in a short summary but I highly advise you to listen to him if you get a chance.

Joernchen of Phenoelit / Ruby on Rails from a code auditor's perspective

This talk focused on how to audit Ruby on Rails (RoR) code. Key points:

Three layers called MVC (Models, Views, Controllers) - review them

Start from the controllers

Look at the database

Look at the filters

RoR has some fancy magic that can go wrong - for example: mass assignments (CCC.de had a vuln because of using this)

Nice talk, and definitely someone you should talk to if you audit RoR. Personally this isn't one of my focus areas.

This talk focused on ways to defeat the DNIe, which is the Spanish government's digital ID system used for authentication and non-repudiation certificates. Basically he implemented an attack on the untrusted-terminal problem: the PC sits between the DNIe device and whatever it authenticates to. There are two ways to use the DNIe for web auth: a Java applet or SSL + client certificate. The device itself has an EAL 4+ certification and defends against most hardware tampering attacks. What he found were two practical attacks on the terminal:

Write a fake interface library that acts as an RPC server connecting his machine with a remote DNIe

Write a fake java applet that acts as the proxy and runs on the client machine (easier)

He proposed a solution that I personally disagree with: "distance bounding", i.e. measure the response time and disallow slow responses.

Jon Larimer / USB autorun attacks against Linux

This talk focused on how to implement autorun attacks against Linux and showed one successful attack, to be exact one that is successful against GNOME. First of all, the freedesktop.org specs forbid systems from running code without asking the user. That being said, a lot of processing is done when a new storage device is connected: file system drivers execute, file browsers read the contents and thumbnailers create thumbnails. These attacks basically require physical access, which usually means "game over" because you can use DMA attacks via 1394 vulns and other attacks like cold boot attacks. However, assuming the latter is too complicated for you and you are on a system where protections against 1394 DMA attacks were implemented, you need another way. From here Jon described his research process, which I will skip straight to the end of: he decided to focus on the thumbnailers used by Nautilus (the GNOME file manager). He found a vulnerability in the Evince thumbnailer for DVI files (among others). Luckily (or unfortunately, depending on your view) Evince uses AppArmor and is compiled as PIE, and in addition the kernel has ASLR enabled (but it is a 32-bit system). He worked on overcoming this:

ASLR and PIE can be defeated by brute forcing:

On a 32-bit system there are only about 3000 addresses that the Linux kernel can load libc to.

Using this we can just generate 3000 files - 1 for each address

Loading will be slow (about 10 min), but success is almost sure

An interesting result he found was that, in his statistics, around 10% of the addresses were used significantly more often than the others

So you can create only about 300 files and still have a high chance of success

He says he didn't research why this is. It is something someone should really look into.

AppArmor can be worked around

Doesn't protect against X11 library calls

He showed a demo of killing the lock screen using a USB stick. Jon Oberheide added an interesting comment that there is a rather new layer for partition parsing in Linux that has had a lot of bugs recently.

Yuval Vadim Polevoy / Money is in the eye of the beholder: new and exciting ways to steal your money

This talk again focused on cybercrime. Yuval is from the RSA research lab and is really interesting to talk to. He focused on how cyber-criminals make money and on the underground economy. I will recount some of the most interesting points; I'm not sure I can do justice to the details, but that is the cost of summarizing...

A cybercrime operation requires:

Bots

Campaign

Drop point

Bot plugins

Hiring & managing mules

Establishing covert channels

Maintain fast-flux (optional)

The skill set required for that is:

Low level programmer

0day researcher

Spammer

Hosting owner

JS programmer

HR recruiter

E-commerce expert

IT specialist

These are too many skills for most people, so the common solution nowadays is outsourcing parts of this effort to others.

To finish, he focused a bit on the future techniques that malware authors will use, in particular screen grabbing. Yuval showed a demo of two techniques that can be used for screen grabbing in Windows, thus defeating on-screen keyboards and allowing other stuff like cheating in online poker…

Eloi Vanderbéken / Hackito Ergo Sum crackme

Finally, Eloi talked about the crackme. I won't go into all the details, but here are the highlights:

Verification algorithm - based on a modified RC4

Obfuscation

Instruction mutation

Control flow graph obfuscation

Encryption layers

Direct native API call

Using sysenter (it also issues a lot of random invalid syscalls), which is why the crackme only worked on 32-bit systems

Anti-X

Anti debugger

Anti-instrumentation

This was especially interesting to me, in particular because Eloi used Pin as the example instrumentation engine.

Friday, April 8, 2011

Day two of HES 2011 brought even more awesomeness. I will summarize the talks here:

Keynote - Rodrigo Branco (BSDaemon) / Behind the scenes: security research
First up was Rodrigo giving a keynote (which shows he is old :P). He focused on the state of the industry and mentioned several key points that might be debatable:

there are a lot of snake-oil security experts; it's really hard to find real experts

0days are nowadays spreading in minutes to all vulnerable hosts

lots of "vulnerabilities" released are not exploitable or at best have an exploit that works only on the VM of the guy that developed it and nowhere else

The new generation of hackers is not coming - most of us grew up in a time where using a computer was a challenge, now it's just plug&play, GUI, etc...

he went into security myths common in the industry

I'll settle for repeating two interesting points he made since this is a short summary:

What is the difference between a rogue AV and a real AV?

both do not guarantee anything

both have "premium options" you can buy

both have a nice GUI (although rogue AVs usually have a nicer one)

both will slow your system

both will have false alarms

All companies benefit from having a security research team but you need to know how to build and work with one:

James Oakley and Sergey Bratus / Exploiting the Hard-Working DWARF
Due to circumstances I couldn't avoid, I had to miss this talk, which is really worthwhile. I have done some work on DWARF for instrumentation but was interested to see it from an exploitation point of view, especially since they say it is Turing complete.
Slides (from shmoocon actually): http://www.cs.dartmouth.edu/~electron/dwarf/

Jon Oberheide & Dan Rosenberg / Stackjacking Your Way to grsecurity or PaX Bypass
In this talk the authors showed how to exploit the Linux kernel in spite of hardening mechanisms like grsecurity or PaX. They took an interesting approach: not focusing on a specific vulnerability but making a minimal set of assumptions about the situation and showing that any vulnerability and situation satisfying these assumptions can be exploited.

Kernel protection Assumptions:

Zero knowledge of kernel address space

Fully randomized kernel text & data

Cannot introduce new code into Kernel address space

Cannot modify kernel control flow (e.g. data only - no ROP)

Attacker assumptions:

#1: can do arbitrary kmem write

Requires some knowledge of the kernel layout (i.e. some information leak) to exploit

#2: Kernel stack memory leak

AKA "the Dan Rosenberg" :P

Taking this into account they developed a 3-stage exploitation technique: KSTACK leak --> stack groping --> overwrite a specific part of the thread_info struct. Going into the details would require a whole post at least, so I will mention only the highlights; for more details try Oberheide's homepage (nothing up yet) or Dan's blog (seems abandoned). For now I will focus on two points:

In order to get all the information needed from a kernel stack leak they developed a library called "libkstack" - it works with a leak of 3 bytes and up.

Stack groping is the name for the techniques they invented in order to actually exploit:

kernel_ds - invented by Dan R. focuses on using set_fs() to change addr_limit in the kernel

Obergrope - invented by Oberheide - uses a child process to clobber a process stack frame while it is inside a syscall (race condition)

Exploitation is pretty safe and takes about 1-2 minutes according to their demo.

Adobe started using ASLR and DEP, which is great, but only on new Windows systems. Also, the implementation seems partially lacking since some DLLs (e.g. encryption) are loaded at a pre-defined address.

Adobe works on sandboxing using Win process privileges and IPC limitations, a lot more work is required

need to implement security features for non-Windows platforms as well

need to compile to 64 bit - will reduce chances of spraying

Aaron Portnoy & Logan Brown / Concentrated Fire: Black Box Auditing Adobe Shockwave
The guys from TippingPoint gave a similar talk to the one from CanSecWest so no need to go deep here. Some cool stuff:

They use a lot of Dynamic Binary Instrumentation to analyze SW

Shockwave uses a private memory manager called SmartHeap

they crowd-sourced the exploitation of the crashes they discovered during Recon

If Shockwave lacks a vulnerable component on your target don't worry - it will download it for you :)

ZDI will not buy any more shockwave bugs or touch shockwave from now on!

Kevin Redon & Ravishankar Borgaonkar / femtocells: inexpensive devices to test UMTS security
For those of you that don't know, a femtocell is a small cellular base station that works in a really limited range. Basically your phone connects to the femtocell, which connects to your provider's network over the internet. The first part of the talk focused on taking control of the femtocell firmware; I will skip this except to say that they used the recovery mode, which shows how careful you need to be with such features. You can buy a femtocell in 12 countries, see the Femto Forum for details. Once you are in control you can do some cool stuff:

Thursday, April 7, 2011

Itzik Kotler / Let Me stuxnet you
Although the name of the talk has Stuxnet in it, it is not another one of those boring Stuxnet talks but focuses on permanent DoS (PDoS) of your hardware using all sorts of methods. This research is still a work in progress.
Several key concepts:

SW can harm HW by making it perform harmful operations

SW can harm FW and cause it to do harmful operations

SW can take advantage of one piece of HW to harm another piece of HW

PDoS can be achieved in many manners:

Phlashing - overwriting FW on Flash to brick parts

over-clocking

over-volting

over-using - esp. in mechanical parts

power cycling - uses temperature flection

Can attack CPUs, GPUs, RAM, HDDs, SSDs, Flash, NICs, CRTs, floppies and more...
Interesting focus on examples of how to implement these attacks so the user doesn't realize what is happening until his system dies.

Marc Heuse / Recent advances in IPv6 insecurities
This is Van Hauser from THC. The first part of the talk focused on IPv6 basics. He then covered some attacks against IPv6 he has released since 2005 and then went on to talk about new attacks - I'll try to cover everything real quick. In particular I liked the quote: "if you start fuzzing things will blow up".
First it is important to mention the THC IPv6 attack tool he is developing, many parts of which are not yet released BUT if you join the dev team he is willing to share (and he is looking for help)... He also released a new version of THC Hydra during his talk.
So, a real quick overview of IPv6 attacks he mentioned (only the headlines or I won't finish this post):

ARP Spoofing => ND spoofing

Duplicate address detection DOS

Many ways to MITM using redirects

Using autoconfiguration (like DHCP, but built into IPv6) to pretend to be a router

Tarjei Mandt / Kernel pool exploitation on Win7
This talk was too technical to go into details in a brief summary - see the slides for details.
The short version is as follows: Win7 has protections in the kernel pool, but these are not good enough. Several techniques were invented by Tarjei to bypass them and two exploits for CVEs were shown:

CVE-2010-3939 (MS10-098) - used the quota process pointer to exploit

CVE-2010-1893 (MS10-058) - used a pool index overwrite to exploit
If you like kernel exploits on Windows you really should check out Tarjei's slides and blog.

Sebastien Tricaud / Capture me if you can!
Sebastien discussed handling incidents in large networks (country level). He talked about capture methods like PCAP, netfilter queue, DAQ and others, and about data processing techniques - how to find meaningful information in logs. He made a very convincing point on log "0day": by not collecting information, or collecting it incorrectly, you can lose important information.
In my view, the most interesting news in the talk were:

Using visualization to handle large data sets (not a new idea, I admit):

The first half day of HES 2011 is done. The first two talks were pretty cool, I'm gonna post some quick summaries:

Keynote - Eric Freyssinet / hacking investigations
Eric manages a team in the Gendarmerie (one of the two French police forces) that focuses on internet investigations. He formerly worked in the forensic analysis team of the same organization. His team opens over 600 cases per year, mostly focusing on child pornography, with most of the rest on fraud.
He mentioned a trend of serious cyber-criminals using kids as "mules" to perform crimes, e.g. a 14 year old from an online hacker community was used as a mule to transfer money from hacked PayPal accounts to the criminal's accounts.
He said a bit about Anonymous and that they coordinated some of their attacks against Bank of America from French servers that his team had to take down. He also mentioned the recent espionage case against the French government, that the leads point to China, and that they're trying to work with the Chinese authorities to find the sources.

Mate Soos / Breaking Industrial Ciphers at a Whim
I really enjoyed this talk. Anybody that is security minded knows that you shouldn't invent your own crypto, especially not a closed-source one, because:
A. it will be reverse engineered
B. it will probably be broken
Mate focused on HiTag2 which is a Philips cipher used for access control for cars, military bases, etc...
He basically converts the problem to a SAT problem in CNF format and then feeds it to a SAT solver - really cool. He estimates it shouldn't take more than 48 hours to break a HiTag2 key from transaction data.
Mate is one of the lead devs on the open source CryptoMiniSat project that won SAT Race 10. He also had some cool visualizations I hope he will share on his homepage.
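To make the "cipher to CNF to SAT solver" idea concrete, here is an added toy example (my own code, not Mate's and not CryptoMiniSat) that does the same thing for a constructed 16-bit key and a made-up nonlinear filter: it writes "keystream(key) == observed bits" as CNF clauses via a Tseitin encoding and hands them to a minimal DPLL solver. The tap schedule and filter function are assumptions chosen for illustration, not the real HiTag2 cipher.

```python
import itertools
KEY_BITS = 16  # constructed toy key size (16 so each tap is one nibble); real HiTag2 keys are 48 bits

def taps(i):
    """Constructed tap schedule (an assumption, not the HiTag2 filter): four nibbles of a mixed i."""
    h = (i * 0x9E37 + 0x1234) & 0xFFFF
    return (h & 15, (h >> 4) & 15, (h >> 8) & 15, (h >> 12) & 15)

def keystream(key, n):
    """Reference toy cipher: output i = k[a] ^ k[b] ^ (k[c] & k[d]) for (a, b, c, d) = taps(i)."""
    return [key[a] ^ key[b] ^ (key[c] & key[d]) for a, b, c, d in map(taps, range(n))]

def encode(stream):
    """CNF clauses for 'keystream(key) == stream'; key bit j is DIMACS variable j+1."""
    clauses = []
    for i, z in enumerate(stream):
        a, b, c, d = [v + 1 for v in taps(i)]
        t = KEY_BITS + 1 + i  # fresh Tseitin variable standing for k[c] & k[d]
        clauses += [[-t, c], [-t, d], [t, -c, -d]]
        # a ^ b ^ t == z: one clause rules out each assignment of the wrong parity
        for va, vb, vt in itertools.product((0, 1), repeat=3):
            if va ^ vb ^ vt != z:
                clauses.append([-a if va else a, -b if vb else b, -t if vt else t])
    return clauses

def solve(clauses, assign=None):
    """Minimal DPLL with unit propagation; returns {var: bool} or None if UNSAT."""
    assign = dict(assign or {})
    while True:
        unit, remaining = None, []
        for cl in clauses:
            if any(assign.get(abs(l)) == (l > 0) for l in cl):
                continue  # clause already satisfied
            rest = [l for l in cl if abs(l) not in assign]
            if not rest:
                return None  # every literal is false: conflict
            if len(rest) == 1:
                unit = rest[0]
            remaining.append(rest)
        if not remaining:
            return assign
        if unit is None:
            break
        assign[abs(unit)] = unit > 0  # unit propagation
    var = min(abs(l) for cl in remaining for l in cl)  # lowest var first: key bits before aux
    for val in (True, False):
        model = solve(remaining, {**assign, var: val})
        if model is not None:
            return model
    return None

def recover_key(stream):
    """Return any key consistent with the observed keystream bits, or None."""
    model = solve(encode(stream))
    return None if model is None else [int(model.get(j + 1, False)) for j in range(KEY_BITS)]
```

A real attack swaps the toy filter for the actual cipher equations and the DPLL for a solver like CryptoMiniSat; the encoding step is the same shape.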

I have high hopes for Itzik's talk about permanent denial of service in the afternoon

Saturday, April 2, 2011

I haven't had a lot of time this week to do stuff I can write about in this blog because I was really busy at work. In and of itself that is cool, because being busy at work usually means I'm doing some cool hacking, but unfortunately I can't talk about my work here.

Binary Instrumentation for Hackers
In the limited free time I had I have been working on a presentation called "Binary instrumentation for hackers", I hope to present it at DC9723 April meeting, anybody coming? This presentation will probably become the base to a workshop proposal I plan on submitting to BlackHat USA 2011.
I also plan to post some material on binary instrumentation here so stay tuned. If you use instrumentation for hacking / security purposes please leave a comment - I'm really interested to know what others do.

Hackito Ergo Sum 2011
I'm going to attend HES 2011 (Apr 7-9). If you are going there let me know and I'll buy you a beer. This is a limited time offer to celebrate the start of this blog and I can afford about 10 beers so FCFS.
If you are not there, stay tuned: the schedule (PDF) looks awesome and I will try to post write-ups about the talks right here.

News stuff:
Well, I can talk about the RSA APT and whether or not it is an APT or about LizaMoon or the new SCADA attacks from GLEG (and also Tenable and VUPEN) and even about the funny false alarm about Samsung installing keyloggers on their laptops but I don't have the patience so follow the links if you didn't already hear about all this stuff.
I also saw an interesting post about CRAP in Assaf Nativ's Blog (home automation and fw/hw hacking).

-- Gal

p.s - feel free to comment with your opinions, requests, ideas how to improve this blog or just whatever